Added malware advisory cutoff date, to ignore old advisories

aegilops · aegilops · commit bff486995a50 · 2025-10-02T17:27:24.000+01:00
diff --git a/README.md b/README.md
@@ -67,6 +67,7 @@ npm run start -- --sync-sboms --enterprise ent --base-url https://github.interna
 | `--sync-malware` | Fetch & cache malware advisories (MALWARE classification). Requires a GitHub token |
 | `--match-malware` | Match current SBOM set against cached advisories |
 | `--malware-cache <dir>` | Advisory cache directory (required with malware operations) |
+| `--malware-cutoff <ISO-date>` | Ignore advisories whose publishedAt AND updatedAt are both before this date/time (e.g. `2025-09-29` or full timestamp) |
 | `--sarif-dir <dir>` | Write SARIF 2.1.0 files per repository (with malware matches) |
 | `--upload-sarif` | Upload generated SARIF to Code Scanning (requires --match-malware & --sarif-dir and a GitHub token) |
 | `--concurrency <n>` | Parallel SBOM fetches (default 5) |
@@ -144,6 +145,27 @@ npm run start -- --sbom-cache sboms --malware-cache malware-cache --match-malwar
 
 If you also perform a search in the same invocation (add `--purl` or `--purl-file`), the JSON file will contain both `malwareMatches` and `search` top-level keys.
 
+#### Advisory Date Cutoff
+
+Use `--malware-cutoff` to exclude older advisories from matching. An advisory will be skipped if **both** its `publishedAt` and `updatedAt` timestamps are strictly earlier than the cutoff.
+
+Accepted formats:
+
+- Plain date: `YYYY-MM-DD` (interpreted as `YYYY-MM-DDT00:00:00.000Z`)
+- Full ISO timestamp: e.g. `2025-09-29T15:30:00Z`
+
+Examples:
+
+```bash
+# Ignore advisories published & last updated entirely before Sept 29 2025
+npm run start -- --sbom-cache sboms --malware-cache malware-cache --match-malware --malware-cutoff 2025-09-29
+
+# Using a precise timestamp (keep advisories updated later that day UTC)
+npm run start -- --sbom-cache sboms --malware-cache malware-cache --match-malware --malware-cutoff 2025-09-29T12:00:00Z
+```
+
+Rationale: This lets you focus on newly introduced / recently changed malware advisories (e.g., during incremental monitoring) without re-reporting older historical matches. Advisories updated after the cutoff remain eligible even if originally published earlier.
+
 ### Progress bar & log noise suppression
 
 When collecting a large number of SBOMs you can enable a lightweight progress bar:
diff --git a/src/cli.ts b/src/cli.ts
@@ -31,6 +31,7 @@ async function main() {
     .option("match-malware", { type: "boolean", default: false, describe: "After sync/load, match SBOM packages against malware advisories" })
     .option("sarif-dir", { type: "string", describe: "Directory to write SARIF 2.1.0 files (one per repository) when --match-malware is used" })
     .option("upload-sarif", { type: "boolean", default: false, describe: "Upload generated SARIF (per-repo) to the Code Scanning API (requires --match-malware)" })
+    .option("malware-cutoff", { type: "string", describe: "Ignore advisories whose publishedAt and updatedAt are both before this ISO date (e.g. 2025-09-29)" })
     .option("purl-file", { type: "string", describe: "Path to file with PURL queries (one per line; supports version ranges & wildcards; # or // for comments)" })
     .option("json", { type: "boolean", describe: "Emit search results as JSON to stdout (suppresses human output unless --cli also provided)" })
     .option("cli", { type: "boolean", describe: "When used with --json, also emit human-readable CLI output" })
@@ -45,7 +46,7 @@ async function main() {
         if (!args.sbomCache) throw new Error("Offline mode requires --sbom-cache (omit --sync-sboms)");
       }
       // If --cli is specified in combination with JSON or CSV, require an output file to avoid mixed stdout streams.
-      if (args.cli && !args.outputFile && ( args.json || args.csv ) ) {
+      if (args.cli && !args.outputFile && (args.json || args.csv)) {
         throw new Error("--cli with --json or --csv requires --output-file to avoid interleaving JSON and human output on stdout.");
       }
       // check that --malware-cache is provided
@@ -118,7 +119,7 @@ async function main() {
   let malwareMatches: import("./malwareMatcher.js").MalwareMatch[] | undefined;
   if (argv["match-malware"]) {
     const { matchMalware, buildSarifPerRepo, writeSarifFiles, uploadSarifPerRepo } = await import("./malwareMatcher.js");
-    malwareMatches = matchMalware(mas.getAdvisories(), sboms);
+    malwareMatches = matchMalware(mas.getAdvisories(), sboms, { advisoryDateCutoff: argv["malware-cutoff"] as string | undefined });
     if (!quiet) console.log(chalk.magenta(`Malware matches found: ${malwareMatches?.length ?? 0}`));
     if (malwareMatches) {
       if (!quiet) {
@@ -220,7 +221,7 @@ async function main() {
   if (argv.csv) {
     const fs = await import("fs");
     // Collect search data if searches were run; reconstruct from collector if we have combinedPurls
-    let searchRows: Array<{ repo: string; purl: string; reason: string }> = [];
+    const searchRows: Array<{ repo: string; purl: string; reason: string }> = [];
     if (combinedPurls.length) {
       const map = collector.searchByPurlsWithReasons(combinedPurls);
       for (const [repo, entries] of map.entries()) {
@@ -236,7 +237,7 @@ async function main() {
       }
     }
     // CSV columns: type,repo,purl,reason_or_advisory,range,updatedAt
-    const header = ["type","repo","purl","reason_or_advisory","range","updatedAt"];
+    const header = ["type", "repo", "purl", "reason_or_advisory", "range", "updatedAt"];
     const sanitize = (val: unknown): string => {
       if (val === null || val === undefined) return "";
       let s = String(val);
diff --git a/src/malwareMatcher.ts b/src/malwareMatcher.ts
@@ -71,15 +71,40 @@ function versionInRange(ecosystem: string, version: string | null, range: string
   return false;
 }
 
-export function matchMalware(advisories: MalwareAdvisoryNode[], sboms: RepositorySbom[]): MalwareMatch[] {
+export interface MatchMalwareOptions {
+  /** ISO date or datetime; advisories with both publishedAt and updatedAt before this are ignored */
+  advisoryDateCutoff?: string;
+}
+
+export function matchMalware(advisories: MalwareAdvisoryNode[], sboms: RepositorySbom[], opts?: MatchMalwareOptions): MalwareMatch[] {
   const matches: MalwareMatch[] = [];
 
+  // Parse cutoff (inclusive) – if only a date (YYYY-MM-DD) given, treat as 00:00:00Z that day
+  let cutoffDate: Date | undefined;
+  if (opts?.advisoryDateCutoff) {
+    const raw = opts.advisoryDateCutoff.trim();
+    let iso = raw;
+    if (/^\d{4}-\d{2}-\d{2}$/.test(raw)) iso = raw + 'T00:00:00.000Z';
+    const parsed = Date.parse(iso);
+    if (!isNaN(parsed)) {
+      cutoffDate = new Date(parsed);
+    } else {
+      // eslint-disable-next-line no-console
+      console.warn(`Ignoring invalid advisoryDateCutoff value: ${raw}`);
+    }
+  }
+
   // Build advisory index keyed by ecosystem::name
   const index = new Map<string, MalwareAdvisoryNode[]>();
   for (const adv of advisories) {
     // Ignore advisories that have been withdrawn
-    // Assumes MalwareAdvisoryNode has an optional withdrawnAt (string | null | undefined)
     if ((adv as unknown as { withdrawnAt?: string | null }).withdrawnAt) continue;
+    // Ignore advisories older than cutoff (must be before cutoff in BOTH publishedAt & updatedAt to be excluded)
+    if (cutoffDate) {
+      const pub = new Date((adv as unknown as { publishedAt?: string }).publishedAt || 0);
+      const upd = new Date((adv as unknown as { updatedAt?: string }).updatedAt || 0);
+      if (pub < cutoffDate && upd < cutoffDate) continue;
+    }
     for (const vuln of adv.vulnerabilities) {
       if (!vuln.name || !vuln.ecosystem) continue;
       const key = `${vuln.ecosystem}::${vuln.name}`.toLowerCase();
